Most of the more—for lack of a better word—hardcore distros like Gentoo and Slackware have been patched for a week or so. Also, certain configurations were not vulnerable at all, and others were technically vulnerable, but not with the published exploits.
For the ultra-paranoid, here are some things you can do:
Patch your own kernel straight from the git branch. This is something that is fairly difficult to figure out the first time, but actually pretty easy to maintain once it is set up. Your distro of choice probably maintains their own public git branches for their kernels, which most likely merged in the published fix branch close to two weeks ago for testing. Even if they are waiting for it to go into the official upstream release, git makes it super easy to merge branches from many different sources, so you don't have to wait yourself.
Configure your kernel for the bare minimum of features you actually need. It is my understanding that this vulnerability isn't a problem if certain options needed for virtualization are turned off. By contrast, stock distro kernels enable everything to be able to cater to everyone. Also, the published exploit relies on the kernel symbol table being available in /proc/kallsyms. This option can be turned off and there's no reason most everyone would ever need it.
Use mandatory access control to give your guest users and internet-exposed apps the bare minimum privileges necessary.
The downside of all that precaution is that you're more likely to break your system, which is why most user-oriented distros take their time with testing.
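An added example (not from the original answer) for checking the symbol-table point above on a running system. It assumes the build option meant is `CONFIG_KALLSYMS` and that the distro ships its kernel config as `/boot/config-<release>`; the function names are illustrative. On later kernels the `kernel.kptr_restrict` sysctl can zero the addresses for unprivileged readers, which the script reports as `masked`.

```shell
#!/bin/sh
# Added example: report how much of the kernel symbol table the current
# user can read, and whether a build option is set in a kernel config file.

# kallsyms_exposure FILE -> prints absent | masked | exposed
# FILE uses the /proc/kallsyms format: "<hex address> <type> <symbol> [module]".
kallsyms_exposure() {
    file=${1:-/proc/kallsyms}
    [ -r "$file" ] || { echo absent; return 0; }
    # Any address that is not all zeros means real addresses are visible.
    if awk 'NF && $1 !~ /^0+$/ { found = 1; exit } END { exit !found }' "$file"
    then
        echo exposed
    else
        echo masked
    fi
}

# config_option CONFIG OPTION -> prints y | m | off
# CONFIG is a kernel .config style file; "# OPTION is not set" counts as off.
config_option() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" 2>/dev/null | head -n 1)
    echo "${val:-off}"
}

# Report for the running system (the config path is distro-dependent).
if [ "${1:-}" = "--report" ]; then
    echo "kallsyms as $(id -un): $(kallsyms_exposure /proc/kallsyms)"
    echo "CONFIG_KALLSYMS: $(config_option "/boot/config-$(uname -r)" CONFIG_KALLSYMS)"
fi
```

Run it with `--report` as the unprivileged account you care about (a service user, for instance), not as root, since root normally sees real addresses.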
Actually a patch was written on September 14th and can be found here and here. However this patch has not been merged over to the mainline. Kernel programming is very difficult. A patch can break compatibility or cause the system to behave incorrectly. Microsoft usually takes 1 month to write a patch for anything, even notepad.
Oftentimes an attacker can compromise a user-level process such as one of your daemons (unrealircd or sendmail). Or even more likely a web application like WordPress or PHP-Nuke. At this point the attacker has a user account and can obtain root if he needs it. So a privilege escalation exploit like this is often used in a chain with other exploits.
According to lwn.net:
For the more community-oriented distributions (Debian, Fedora, openSUSE, Ubuntu, and others), the response has been somewhat mixed. Ubuntu, Debian, and Fedora had fixes out on September 17 for both bugs (or, in the case of Debian, just one, as its stable distribution ("Lenny") is based on 2.6.26 and thus not vulnerable to CVE-2010-3301). openSUSE has yet to release a fix and none of the secondary distributions that we track (Gentoo, Mandriva, Slackware, etc.) has put out a fix either.
So if your Ubuntu is really up-to-date, it should have been safe quite early. Plus I remember seeing the update relatively soon after the bug was announced.
So either the fix is incorrect, or your system is not updated correctly, and has not been for something like two weeks. Kernel updates need a reboot of your system.
On a more concerning note, Torvalds is notorious for silent patches. This is also a pastime that Microsoft enjoys.
Where is the programming question, by the way?
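An added example (not part of the original answers) for the "updated but not rebooted" case mentioned above: it compares the running kernel release with the newest kernel image on disk. It assumes kernels are installed as `<bootdir>/vmlinuz-<release>` (the Debian/Ubuntu/Fedora layout) and that `sort` supports `-V`; the function names are illustrative.

```shell
#!/bin/sh
# Added example: detect a kernel update that has been installed but is not
# yet running because the machine was never rebooted.

# newest_installed BOOTDIR -> highest installed kernel release, or empty
newest_installed() {
    for img in "$1"/vmlinuz-*; do
        [ -e "$img" ] || continue          # glob matched nothing
        basename "$img" | sed 's/^vmlinuz-//'
    done | sort -V | tail -n 1
}

# reboot_state RUNNING BOOTDIR -> prints current | reboot-needed | unknown
reboot_state() {
    newest=$(newest_installed "$2")
    if [ -z "$newest" ]; then
        echo unknown                       # no kernel images found
    elif [ "$newest" = "$1" ]; then
        echo current
    else
        # Releases differ: a reboot is needed only if the image on disk
        # sorts higher than the release that is running.
        top=$(printf '%s\n%s\n' "$1" "$newest" | sort -V | tail -n 1)
        [ "$top" = "$newest" ] && echo reboot-needed || echo current
    fi
}

# Report for the running system.
if [ "${1:-}" = "--report" ]; then
    echo "running $(uname -r): $(reboot_state "$(uname -r)" /boot)"
fi
```

A `reboot-needed` result means the package manager did its job but the fixed kernel is not the one executing; it says nothing about whether the newest installed release actually contains the fix.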